- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- WAN failover on 2 pppoe
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WAN failover on 2 pppoe
Hello,
I'm working on a F60E (v7.0.11 build0489) with 2 WAN connections.
They are both using PPPoE authentication, one of them is on VLAN 835.
The 2 connections work well individually but I can't find a way to configure them together with failover (not SDWAN).
The behaviour is pretty strange as even if I set same distance but different priorities this is always the WAN2 who handle traffic.
As you can guess WAN2 has to be my backup link and WAN1 my primary.
I tried link-monitor but it didn't help.
Here is part of my configuration.
(I temporarily disable WAN2)
config system interface
edit "wan1"
set vdom "root"
set allowaccess ping fgfm
set type physical
set role wan
set snmp-index 1
next
edit "wan2"
set vdom "root"
set mode pppoe
set allowaccess ping https snmp
set status down
set type physical
set alias "OVH-SDSL"
set role wan
set snmp-index 2
set username "********"
set password ENC ********
next
edit "ORANGE-FIBRE"
set vdom "root"
set mode pppoe
set allowaccess ping https snmp http
set role wan
set snmp-index 18
set username "********"
set password ENC ********
set interface "wan1"
set vlanid 835
next
config system link-monitor
edit "ORANGE-FIBRE"
set srcintf "ORANGE-FIBRE"
set server "8.8.8.8"
next
edit "OVH-SDSL"
set srcintf "wan2"
set server "8.8.8.8"
next
end
If anybody know how to handle this case please tell me :)
Labels:
- Labels:
-
FortiGate
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
If you need "Orange-Fibre" to be the preferred link when both links are up and active in the route table, set a higher priority value for wan2 pppoe link(remember higher the priority value, least would be the preference)
Best regards,
Jin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for your help.
This is what I did and it looks like there is an unexptected behaviour with 2 PPPoE connections.
I've already set up somehting very similar on another Fortigate (100D) which was using only one PPPoE connection and everything is working as expected (like you said).
Maybe I'm missing something but I was pretty surprised.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can check the route table after enabling both links. But if you only need one link as active all the time and other as backup, we could also think of setting a higher distance on one link which can act as secondary/backup.
Best regards,
Jin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
routing does not care about wether your interface does pppoe or not.
If you do not want to use sdwan you have to have two default routes with different prio/distance.
And you have to add both links to your internet policies.
Then primarily the default route (and with it the link) with the lowest prio/distance will be used and if that is not available the next higher one will be used.
It might thus be easier to achieve this using sdwan because then you only have to add both links as members of an sdwan zone and create an sdwan rule with manual member selection and add the members in the order you want them to be used. Then create some sdwan health check to enable the FGT to detect wether a link is down or not.
Then just use the sdwan interface in your internet polices and that's it. Sdwan will automagically take care for all the rest for you :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a reason you don't want to use SD-WAN?
Can you show us the routing table "get router info show routing-table all" and "show router static" when both links are up?
Also can you show us the relevant FW policy/policies allowing the traffic over both links?
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I really appreciate everyone help, thanks to all !
@jintrah_FTNT wrote:
you can check the route table after enabling both links. But if you only need one link as active all the time and other as backup, we could also think of setting a higher distance on one link which can act as secondary/backup.
That's an idea but it would be nice if I can keep monitoring both wan links (snmp from WAN).
I keep this option as something to try as monitoring backup link is not mandatory.
@sw2090 wrote:It might thus be easier to achieve this using sdwan because then you only have to add both links as members of an sdwan zone and create an sdwan rule with manual member selection and add the members in the order you want them to be used. Then create some sdwan health check to enable the FGT to detect wether a link is down or not.
Then just use the sdwan interface in your internet polices and that's it. Sdwan will automagically take care for all the rest for you :)
About SDWAN, I gave a try but I wasn't able to set 100% of traffic on a specific WAN, there is always a small part of traffic that go to WAN2 (1-99%). But as you said this looks like ok with sdwan health check.
I'll give a try !
@gfleming wrote:Is there a reason you don't want to use SD-WAN?
Can you show us the routing table "get router info show routing-table all" and "show router static" when both links are up?
Also can you show us the relevant FW policy/policies allowing the traffic over both links?
I'm using "zones" to get firewall rules easier to manage.
I'll post routing table as soon as I can give a try (Fortigate is in production, I'm not onsite ...).
I'm thinking about something else I saw on other theads, is the "Automatic gateway retrieval" on my 2 static routes can be a problem ?
Anyway @All, I'll try the different possibilities and give you feedbacks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To configure WAN failover on two PPPoE connections on a FortiGate with separate VLANs, you can follow these steps:
1. Configure both PPPoE connections on the FortiGate, assigning each connection to a separate VLAN interface.
2. Create a new virtual interface that will be used for the WAN failover. Go to Network > Interfaces and click Create New.
3. Select Virtual Interface and configure it with an IP address and subnet mask that is on the same network as the two PPPoE connections.
4. Go to Network > Static Routes and create a new route for the WAN failover. Set the destination IP address to 0.0.0.0/0 and set the next hop to the virtual interface that was created in step 3.
5. Go to Network > Interface > Physical and select the primary WAN interface (WAN1). Set the distance to 10 and the priority to 1.
6. Go to Network > Interface > VLAN and select the VLAN interface that is associated with WAN2. Set the distance to 20 and the priority to 2.
7. Go to Network > Policy Routes and create a new policy route for the WAN failover. Set the source interface to the virtual interface that was created in step 3, and set the destination interface to the physical WAN interface (WAN1). Set the service to ALL and set the gateway to the WAN2 VLAN interface.
These steps should configure the FortiGate to use WAN1 as the primary connection and WAN2 as the backup connection, with failover configured to automatically switch to the backup connection if the primary connection fails.
Thanks & Regards,
Faizal Emam
Faizal Emam
Thanks & Regards,Faizal Emam
Related Posts
- SDWAN HA failover time 91 Views
- Fortigate DNS Database (conditional DNS forwarder)... 83 Views
- Fortigates with PPPoE WAN suddenly need... 389 Views
- FGSP Dynamic Tunnel VPN in SD-WAN 219 Views
- choose between multiple ISP 177 Views
Labels
-
FortiGate
6,562 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
266 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
107 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
IP address management - IPAM
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
Traffic shaping policy
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Schedule
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Web rating
1 -
FortiManager-VM
1 -
Email filter profile
1 -
Multicast routing
1 -
Internet Service Database
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.